Closed Bug 1361509 Opened 7 years ago Closed 7 years ago

coverity report: Non-static class member "mSource" is not initialized in this constructor nor in any functions that it calls.

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Version:
53 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: MatsPalmgren_bugz, Assigned: longsonr)

References

(Blocks 1 open bug,
URL
)

Details

(4 keywords, Whiteboard: [CID 1405753][adv-main55-][post-critsmash-triage])

Attachments

(1 file)

patch
454 bytes, patch
MatsPalmgren_bugz
: review+
Details | Diff | Splinter Review 
Filing this as security sensitive just in case...
At first glance I can't find anyone initializing nsSVGGradientFrame::mSource.


** CID 1405753:  Uninitialized members  (UNINIT_CTOR)
/layout/svg/nsSVGGradientFrame.cpp: 34 in nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext *, mozilla::FrameType)()


________________________________________________________________________________________________________
*** CID 1405753:  Uninitialized members  (UNINIT_CTOR)
/layout/svg/nsSVGGradientFrame.cpp: 34 in nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext *, mozilla::FrameType)()
28     nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext* aContext,
29                                            FrameType aType)
30       : nsSVGPaintServerFrame(aContext, aType)
31       , mLoopFlag(false)
32       , mNoHRefURI(false)
33     {
>>>     CID 1405753:  Uninitialized members  (UNINIT_CTOR)
>>>     Non-static class member "mSource" is not initialized in this constructor nor in any functions that it calls.
34     }
35     
36     //----------------------------------------------------------------------
37     // nsIFrame methods:
38     
39     nsresult
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
Group: core-security → layout-core-security
I think this is sec-low at worst since it's a frame class allocated in the pres arena,
so there's no type confusion here.  Either mSource is null, or it points to a frame
that may or may not be alive but that frame is always allocated in the same arena,
so frame-poisoning will save us from being exploited.
Keywords: csectype-framepoisoning, sec-low
Could we initialize this member to nullptr in the ctor anyway, please?
Even if there *currently* is a path that init mSource before it's used,
it seems safer to always init it in the ctor.  Also, it shuts up Coverity
so that we don't have to look at this one again. :-)
I've no objections to doing that.
Blocks: coverity-analysis
Whiteboard: [CID 1405753]
Attached patch patchSplinter Review 
Assignee: nobody → longsonr

        Attachment #8865669 -
        Flags: review?(mats)

    
    

    
  
Do I need any additional approval to land this?

    
    

    
  
Comment on attachment 8865669 [details] [diff] [review]
patch

Thanks.

> Do I need any additional approval to land this?

No, only sec-high/sec-critical needs sec-approval.
https://wiki.mozilla.org/Security/Bug_Approval_Process

        Attachment #8865669 -
        Flags: review?(mats) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/f804bb28ab99
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox54:
          affectedwontfix

          status-firefox55:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: layout-core-security → core-security-release
Whiteboard: [CID 1405753] → [CID 1405753][adv-main55-]
Flags: qe-verify-
Whiteboard: [CID 1405753][adv-main55-] → [CID 1405753][adv-main55-][post-critsmash-triage]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: